Dear Trond,

> That's a model which is incompatible with the way many people use
> the AUTH_SYS authentication model.

That is why I only propose (hope for) mountd options which might be
used by some people, and others might leave turned off.

> ... It is too easy to fake a uid or a gid when you use a protocol
> that exposes them in clear on the network ...

Trivial to find out what they are, may not be so easy to inject them.

---

> ... I don't at all understand your threat model. You appear to be
> worried about a threat where a user can somehow usurp gids but not
> uids on the client.

I am worried about an attacker being able to "do anything" on the
client (having "cracked root" on it). In terms of usurping UIDs, he is
pretty much defeated: the only privileged UID is root, rendered harmless
by root_squash. (Beware that other UIDs, e.g. bin or sys, may be
dangerous on some systems: root_squash as currently implemented is
incomplete, insecure.) There is currently no such protection for
usurping GIDs, and some (e.g. staff for Debian, or disk, shadow etc.)
are privileged and root-equivalent. We need protection, similar to
root_squash.

Cheers, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
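As an added illustration (not code from this thread, from nfs-utils or from the kernel's nfsd), the following Python model shows the server-side mapping the mail is about: AUTH_SYS credentials arrive unauthenticated, so the only defence is to squash privileged identities before the permission check. `root_squash` and `all_squash` follow the documented exports(5) semantics; `privileged_uids` and `privileged_gids` are a hypothetical policy standing in for the mountd option Paul asks for, and the uid/gid numbers in the sample credential are constructed.

```python
"""Model of AUTH_SYS credential squashing on an NFS server (added example).

root_squash / all_squash follow exports(5).  privileged_uids and
privileged_gids are a HYPOTHETICAL extension, not an existing option.
"""
from dataclasses import dataclass

NOBODY_UID = 65534   # conventional anonymous uid
NOGROUP_GID = 65534  # conventional anonymous gid


@dataclass(frozen=True)
class AuthSysCred:
    """What an AUTH_SYS request claims: uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    gids: tuple


@dataclass(frozen=True)
class SquashPolicy:
    root_squash: bool = True
    all_squash: bool = False
    privileged_uids: frozenset = frozenset()   # hypothetical extension
    privileged_gids: frozenset = frozenset()   # hypothetical extension
    anonuid: int = NOBODY_UID
    anongid: int = NOGROUP_GID


def squash(cred: AuthSysCred, policy: SquashPolicy) -> AuthSysCred:
    """Map an untrusted credential to the identity the server will act as."""
    if policy.all_squash:
        return AuthSysCred(policy.anonuid, policy.anongid, ())

    uid = cred.uid
    if (policy.root_squash and uid == 0) or uid in policy.privileged_uids:
        uid = policy.anonuid

    def squashed(g: int) -> int:
        if (policy.root_squash and g == 0) or g in policy.privileged_gids:
            return policy.anongid
        return g

    gid = squashed(cred.gid)
    # Supplementary groups that would be squashed are dropped here so the
    # anonymous gid is not repeated; the effect on privilege is the same.
    gids = tuple(g for g in cred.gids if squashed(g) == g)
    return AuthSysCred(uid, gid, gids)


def unix_permits(cred: AuthSysCred, owner_uid: int, owner_gid: int,
                 mode: int, want: str) -> bool:
    """Plain Unix mode-bit check; want is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if cred.uid == owner_uid:
        shift = 6
    elif owner_gid == cred.gid or owner_gid in cred.gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def demo():
    """A compromised client claims membership of group 6 (disk) and 42 (shadow)
    (constructed numbers, as commonly used on Debian) for an unprivileged uid.
    Without gid squashing the claim is honoured; with it, the write is refused."""
    policy_today = SquashPolicy()  # root_squash only, as servers ship it
    policy_proposed = SquashPolicy(privileged_uids=frozenset({2, 3}),
                                   privileged_gids=frozenset({6, 42, 50}))
    forged = AuthSysCred(uid=1000, gid=6, gids=(100, 42))
    # Target: a file owned by root:disk, mode 0660 (constructed).
    before = unix_permits(squash(forged, policy_today), 0, 6, 0o660, "w")
    after = unix_permits(squash(forged, policy_proposed), 0, 6, 0o660, "w")
    return {"allowed_with_root_squash_only": before,
            "allowed_with_gid_squash": after,
            "effective_cred": squash(forged, policy_proposed)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that the server never learns whether the gid list is genuine, so the protective mapping has to be a server-side export option, exactly as `root_squash` is today. Reading `/etc/group` on the server for the list of privileged gids would be the natural source for such an option; the example keeps the list explicit so it runs offline.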